查人人中国名人网2016成都最好吃的串串:网站的SQL数据库安全问题!
来源:百度文库 编辑:查人人中国名人网 时间:2024/04/26 15:28:07
我刚做了个比较完整的网站,可以注册,充值等等,用的是sql数据库,但并没有进行过任何的安全处理,也不了解应该如何加密,请问我应该怎样做,应该加如一些什么语句或设置?
有位朋友是这样说的:
'替换非法字符函数
Function SQLFixup(TextIn)
SQLFixup = Replace(TextIn, "'", "''", 1)
SQLFixup = Replace(TextIn,Chr(0),"", 1, -1, 1)
SQLFixup = Replace(TextIn, """", """, 1, -1, 1)
SQLFixup = Replace(TextIn,"<","<", 1, -1, 1)
SQLFixup = Replace(TextIn,">",">", 1, -1, 1)
SQLFixup = Replace(TextIn, "script", "script", 1, -1, 0)
SQLFixup = Replace(TextIn, "SCRIPT", "SCRIPT", 1, -1, 0)
SQLFixup = Replace(TextIn, "Script", "Script", 1, -1, 0)
SQLFixup = Replace(TextIn, "script", "Script", 1, -1, 1)
SQLFixup = Replace(TextIn, "object", "object", 1, -1, 0)
SQLFixup = Replace(TextIn, "OBJECT", "OBJECT", 1, -1, 0)
SQLFixup = Replace(TextIn, "Object", "Object", 1, -1, 0)
SQLFixup = Replace(TextIn, "object", "Object", 1, -1, 1)
SQLFixup = Replace(TextIn, "applet", "applet", 1, -1, 0)
SQLFixup = Replace(TextIn, "APPLET", "APPLET", 1, -1, 0)
SQLFixup = Replace(TextIn, "Applet", "Applet", 1, -1, 0)
SQLFixup = Replace(TextIn, "applet", "Applet", 1, -1, 1)
SQLFixup = Replace(TextIn, "[", "[")
SQLFixup = Replace(TextIn, "]", "]")
SQLFixup = Replace(TextIn, """", "", 1, -1, 1)
SQLFixup = Replace(TextIn, "=", "=", 1, -1, 1)
SQLFixup = Replace(TextIn, "'", "''", 1, -1, 1)
SQLFixup = Replace(TextIn, "select", "select", 1, -1, 1)
SQLFixup = Replace(TextIn, "execute", "execute", 1, -1, 1)
SQLFixup = Replace(TextIn, "exec", "exec", 1, -1, 1)
SQLFixup = Replace(TextIn, "join", "join", 1, -1, 1)
SQLFixup = Replace(TextIn, "union", "union", 1, -1, 1)
SQLFixup = Replace(TextIn, "where", "where", 1, -1, 1)
SQLFixup = Replace(TextIn, "insert", "insert", 1, -1, 1)
SQLFixup = Replace(TextIn, "delete", "delete", 1, -1, 1)
SQLFixup = Replace(TextIn, "update", "update", 1, -1, 1)
SQLFixup = Replace(TextIn, "like", "like", 1, -1, 1)
SQLFixup = Replace(TextIn, "drop", "drop", 1, -1, 1)
SQLFixup = Replace(TextIn, "create", "create", 1, -1, 1)
SQLFixup = Replace(TextIn, "rename", "rename", 1, -1, 1)
SQLFixup = Replace(TextIn, "count", "count", 1, -1, 1)
SQLFixup = Replace(TextIn, "chr", "chr", 1, -1, 1)
SQLFixup = Replace(TextIn, "mid", "mid", 1, -1, 1)
SQLFixup = Replace(TextIn, "truncate", "truncate", 1, -1, 1)
SQLFixup = Replace(TextIn, "nchar", "nchar", 1, -1, 1)
SQLFixup = Replace(TextIn, "char", "char", 1, -1, 1)
SQLFixup = Replace(TextIn, "alter", "alter", 1, -1, 1)
SQLFixup = Replace(TextIn, "cast", "cast", 1, -1, 1)
SQLFixup = Replace(TextIn, "exists", "exists", 1, -1, 1)
SQLFixup = Replace(TextIn,Chr(13),"<br>", 1, -1, 1)
End Function
给你一段防注入的函数
使用方法
SQLFixup(参数值)
但是我看不太明白!那段代码怎么使用啊?
您又有什么建议?
有位朋友是这样说的:
'替换非法字符函数
Function SQLFixup(TextIn)
SQLFixup = Replace(TextIn, "'", "''", 1)
SQLFixup = Replace(TextIn,Chr(0),"", 1, -1, 1)
SQLFixup = Replace(TextIn, """", """, 1, -1, 1)
SQLFixup = Replace(TextIn,"<","<", 1, -1, 1)
SQLFixup = Replace(TextIn,">",">", 1, -1, 1)
SQLFixup = Replace(TextIn, "script", "script", 1, -1, 0)
SQLFixup = Replace(TextIn, "SCRIPT", "SCRIPT", 1, -1, 0)
SQLFixup = Replace(TextIn, "Script", "Script", 1, -1, 0)
SQLFixup = Replace(TextIn, "script", "Script", 1, -1, 1)
SQLFixup = Replace(TextIn, "object", "object", 1, -1, 0)
SQLFixup = Replace(TextIn, "OBJECT", "OBJECT", 1, -1, 0)
SQLFixup = Replace(TextIn, "Object", "Object", 1, -1, 0)
SQLFixup = Replace(TextIn, "object", "Object", 1, -1, 1)
SQLFixup = Replace(TextIn, "applet", "applet", 1, -1, 0)
SQLFixup = Replace(TextIn, "APPLET", "APPLET", 1, -1, 0)
SQLFixup = Replace(TextIn, "Applet", "Applet", 1, -1, 0)
SQLFixup = Replace(TextIn, "applet", "Applet", 1, -1, 1)
SQLFixup = Replace(TextIn, "[", "[")
SQLFixup = Replace(TextIn, "]", "]")
SQLFixup = Replace(TextIn, """", "", 1, -1, 1)
SQLFixup = Replace(TextIn, "=", "=", 1, -1, 1)
SQLFixup = Replace(TextIn, "'", "''", 1, -1, 1)
SQLFixup = Replace(TextIn, "select", "select", 1, -1, 1)
SQLFixup = Replace(TextIn, "execute", "execute", 1, -1, 1)
SQLFixup = Replace(TextIn, "exec", "exec", 1, -1, 1)
SQLFixup = Replace(TextIn, "join", "join", 1, -1, 1)
SQLFixup = Replace(TextIn, "union", "union", 1, -1, 1)
SQLFixup = Replace(TextIn, "where", "where", 1, -1, 1)
SQLFixup = Replace(TextIn, "insert", "insert", 1, -1, 1)
SQLFixup = Replace(TextIn, "delete", "delete", 1, -1, 1)
SQLFixup = Replace(TextIn, "update", "update", 1, -1, 1)
SQLFixup = Replace(TextIn, "like", "like", 1, -1, 1)
SQLFixup = Replace(TextIn, "drop", "drop", 1, -1, 1)
SQLFixup = Replace(TextIn, "create", "create", 1, -1, 1)
SQLFixup = Replace(TextIn, "rename", "rename", 1, -1, 1)
SQLFixup = Replace(TextIn, "count", "count", 1, -1, 1)
SQLFixup = Replace(TextIn, "chr", "chr", 1, -1, 1)
SQLFixup = Replace(TextIn, "mid", "mid", 1, -1, 1)
SQLFixup = Replace(TextIn, "truncate", "truncate", 1, -1, 1)
SQLFixup = Replace(TextIn, "nchar", "nchar", 1, -1, 1)
SQLFixup = Replace(TextIn, "char", "char", 1, -1, 1)
SQLFixup = Replace(TextIn, "alter", "alter", 1, -1, 1)
SQLFixup = Replace(TextIn, "cast", "cast", 1, -1, 1)
SQLFixup = Replace(TextIn, "exists", "exists", 1, -1, 1)
SQLFixup = Replace(TextIn,Chr(13),"<br>", 1, -1, 1)
End Function
给你一段防注入的函数
使用方法
SQLFixup(参数值)
但是我看不太明白!那段代码怎么使用啊?
您又有什么建议?
代码使用办法:
比如网上有两个个输入筐,一个是用户名,一个用户密码。
那么SQL语句验证密码是
string userid = txtUserid.Text;
string szSQL = "select * from user where userid = '" + userid + "';
如果要防止sql注入
要写成string userid = SQLFixup(txtUserid.Text);
string szSQL = "select * from user where userid = '" + userid + "';